Critical infrastructure: Off the web, out of danger?

Taylor Armerding |
March 23, 2017

While most of those systems are not directly connected to the internet, critics say there are still plenty of ways for hostile actors to get control of them.

Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC), said many people believe that all three major components of the grid – generation, transmission and distribution – are internet facing.

Sachs agreed that cyber attacks have caused damage to energy infrastructure in other parts of the world – the 2015 hack of the energy grid in Ukraine took out power for several hours to 225,000 people. But he told the audience the North American grid is exponentially less vulnerable because of its, “diversity and separation of infrastructure.”

“The threat is real and the risks are high, but our exposure is low,” he said, contending that it would take physical access to control systems to interfere with their operation. That, he said, is possible but highly unlikely.

This doesn’t mean there are no internet connections in the overall industry – there are many in the corporate networks and the distribution of power to customers. “But that’s at the edge, where you’re flipping the lights on or off,” he said. “We see power companies get spammed and phished all the time. We see ransomware. But even if the lights go out locally, the grid is still working.”

That was essentially the message from former Director of National Intelligence James Clapper, in a “statement for the record” about 18 months ago to the House Permanent Select Committee on Intelligence. Clapper said he believed the chances of a “Cyber Armageddon” are remote.

Nor has it convinced every other expert in the ICS field either. Joe Weiss, managing partner at Applied Control Systems, vehemently disagreed, calling Sachs’s comments, “bizarre … beyond the realm of credibility.

“Cyber can bring down the grid for months,” he said, adding that the “diversity” of power companies is essentially a mirage, since there are only “eight to 10 vendors worldwide” that manufacture the kind of generators used in ICSs.